Abstract



The standard definition of quantum state randomization, which is the 
quantum analog of the classical one-time pad, consists in applying some 
transformation to the quantum message conditioned on a classical secret 
key k. We investigate encryption schemes in which this transformation is 
conditioned on a quantum encryption key state instead of a classical 
string, and extend this symmetric-key scheme to an asymmetric-key model 
in which copies of the same encryption key pk may be held by several 
different people, but maintaining information-theoretical security. 

We find bounds on the message size and the number of copies of the 
encryption key which can be safely created in these two models in terms of 
the entropy of the decryption key, and show that the optimal bound can 
be asymptotically reached by a scheme using classical encryption keys. 

This means that the use of quantum states as encryption keys does not 
allow more of these to be created and shared, nor encrypt larger messages, 
than if these keys are purely classical. 

1 Introduction 

1.1 Quantum Encryption 

To encrypt a quantum state $\sigma$, the standard procedure consists in applying some
(unitary) transformation $U_k$ to the state, which depends on a classical string
$k$. This string serves as secret key, and anyone who knows this key can perform
the reverse operation and obtain the original state. If the transformations
$U_1, U_2, \dots$ are chosen with probabilities $p_1, p_2, \dots$, such that when averaged
over all possible choices of key,



the result looks random, i.e., close to the fully mixed state, $\mathcal{R}(\sigma) \approx I/d$, this
cipher can safely be transmitted on an insecure channel. This procedure is
called approximate quantum state randomization or approximate quantum one-time
pad [1, 2, 3] or quantum one-time pad, quantum Vernam cipher or quantum
private channel in the case of perfect security [H [3 H], and is the quantum
equivalent of the classical one-time pad.

An encryption scheme which uses such a randomization procedure is called 
symmetric, because the same key is used to encrypt and decrypt the message. 
An alternative paradigm is asymmetric-key cryptography, in which a different 
key is used for encryption and decryption. In such a cryptosystem the encryption 
key may be shared amongst many different people, because possessing this key 
is not sufficient to perform the reverse operation, decryption. This can be 
seen as a natural extension of symmetric-key cryptography, because this latter 
corresponds to the special case in which the encryption and decryption keys are 
identical and can be shared with only one person. 



Although the encryption model given in Eq. (1) is symmetric, by replacing
the classical encryption key with a quantum state we can make it asymmetric.
To see this, let us rewrite Eq. (1) as

$$\mathcal{R}(\sigma) = \sum_k p_k \operatorname{tr}_K\left[ U \left( |k\rangle\langle k|^K \otimes \sigma^S \right) U^\dagger \right], \qquad (2)$$

where $U := \sum_k |k\rangle\langle k| \otimes U_k$. The encryption key in Eq. (2), $|k\rangle\langle k|$, is diagonal
in the computational basis, i.e., classical, but an arbitrary quantum state, $\rho_k$,
could be used instead, e.g.,

k 

for some set of quantum encryption keys $\{\rho_k\}_k$.

If the sender only holds such a quantum encryption key state $\rho_k$ without
knowing the corresponding decryption key $k$, then the resulting model is
asymmetric in the sense that possessing this copy of the encryption key state is enough
to perform the encryption, but not to decrypt. So many different people can hold
copies of the encryption key without compromising the security of the scheme.
It is generally impossible to distinguish between non-orthogonal quantum states
with certainty (we refer to the textbook by Nielsen and Chuang [7] for an
introduction to quantum information), so measuring a quantum state cannot tell
us precisely what it is, and possessing a copy of the encryption key state does
not allow us to know how the quantum message got transformed, making it
impossible to guess the message, except with exponentially small probability.

Up to roughly $\log N$ copies of a state can be needed to discriminate between
$N$ possible states [5], so such a scheme could allow the same encryption key to
be used several times, if multiple copies of this quantum key state are shared
with any party wishing to encrypt a message. The scheme will stay secure as
long as the number of copies created stays below a certain threshold. What
is more, the security which can be achieved is information-theoretic like for
standard quantum state randomization schemes [5], not computational like most
asymmetric-key encryption schemes.

Such an asymmetric-key cryptosystem is just a possible application of a
quantum state randomization scheme which uses quantum keys. It is also
interesting to study quantum state randomization with quantum keys for itself
(in the symmetric-key model), without considering other parties holding extra
copies of the same encryption key. In this paper we study these schemes in both
the symmetric-key and asymmetric-key models, and compare their efficiency
in terms of message size and number of usages of the same encryption key to
quantum state randomization schemes which use only classical keys.

1.2 Related Work 

Quantum one-time pads were first proposed in [U [5] for perfect security, then 
approximate security was considered in, e.g., [1, 2, 3]. All these schemes assume
the sender and receiver share some secret classical string which is used only 
once to perform the encryption. We extend these models in the symmetric-key 
case by conditioning the encryption operation on a quantum key and considering 
security with multiple uses of the same key, and then in the asymmetric-key case 
by considering security with multiple users holding copies of the same encryption 
key. 

The first scheme using quantum keys in an asymmetric-key model was
proposed by Kawachi et al. [10], although they considered the restricted scenario
of classical messages. Their scheme can encrypt a 1 bit classical message, and
their security proof is computational, as it reduces the task of breaking the
scheme to a graph automorphism problem. They extended their scheme to a
multi-bit version [11], but without security proof. Hayashi et al. [9] then gave
an information-theoretical security proof for [11]. The quantum asymmetric-key
model we consider is a generalization and extension of that of [10, 11].

1.3 Main Contributions 

The main result of this paper is that using quantum encryption keys has no
advantage over classical keys with respect to the number of copies of the
encryption key which can be safely created and to the size of the messages which
can be encrypted, both in the symmetric and asymmetric-key models. Contrary
to what was believed and what motivated previous works with quantum keys, the
intrinsic indistinguishability of quantum states does not allow more of these to be
created and shared as encryption keys than if these keys are purely classical.

To show this, we first find an upper bound on the quantum message size and
on the number of copies of the encryption key which can be securely produced.
We show that if $t$ copies of the key are created and if the quantum messages
encrypted are of dimension $d$, then they have to be such that $t \log d < H(\mathcal{K})$ for
the scheme to be secure, where $H(\mathcal{K})$ is the entropy of the decryption key.

We then construct a quantum state randomization scheme and show that 
it meets this upper bound in both the symmetric and asymmetric-key models. 
The encryption keys this scheme uses are however all diagonal in the same 
bases, i.e., classical. This means that the scheme with classical keys is optimal 
in terms of message size and number of usages of the same key, and no scheme 
with quantum keys can perform better. 

We also show how to extend quantum asymmetric-key encryption schemes
for classical messages (such as [11]) to encrypt quantum messages as well. To do
this, we combine these schemes for classical messages with a standard quantum 
one-time pad, and prove that the resulting scheme is still secure. 

1.4 Organization of the Paper

In Section 2 we develop the encryption models with quantum keys sketched
in this introduction. We first redefine quantum state randomization schemes
using quantum keys instead of classical keys in Section 2.1 and generalize the
standard security definition for multiple usage of the same key in this
symmetric-key model. In Section 2.2 we then show how to construct an asymmetric-key
cryptosystem using such a quantum state randomization scheme with quantum
keys and define its security. Section 2.3 contains a few notes about the special
case of classical messages, which are relevant for the rest of the paper.

In Section 3 we find an upper bound on the message size and number of
copies of the encryption key which can be created, both for the symmetric and
asymmetric-key models.

In Section 4 we construct a quantum state randomization scheme which uses
classical encryption keys, but which meets the optimality bounds for quantum
keys from the previous section in both models. We give this construction in
three steps. First in Section 4.1 we construct a scheme which can randomize
classical messages only. Then in Section 4.2 we show how to combine this scheme
for classical messages with a standard approximate quantum one-time pad to
randomize any quantum state. And finally in Section 4.3 we calculate the key
size of the scheme proposed and show that it corresponds to the bound found
in Section 3.

We conclude in Section 5 with a brief summary and further comments about
the results.

2 Encryption Model 

2.1 Quantum Encryption Keys 

Let us consider a setting in which we have two parties, a sender and a receiver,
who wish to transmit a quantum state, $\sigma$, from one to the other in a secure
way over an insecure channel. If they share a secret classical string, $k$, they
can apply some completely positive, trace-preserving (CPTP) map $\mathcal{E}_k$ to the
quantum message and send the cipher $\mathcal{E}_k(\sigma)$. If the key $k$ was chosen with
probability $p_k$, to any person who does not know this key the transmitted state
is

$$\mathcal{R}(\sigma) = \sum_k p_k \mathcal{E}_k(\sigma), \qquad (4)$$

which will look random for "well chosen" maps $\mathcal{E}_k$. This is the most general
form of quantum state randomization [6].

If instead the sender has a quantum state $\rho_k$, he can apply some CPTP map
$\mathcal{E}$ to both the shared state and the quantum message, and send $\mathcal{E}(\rho_k \otimes \sigma)$. So
for someone who does not know $\rho_k$ the state sent is

$$\mathcal{R}(\sigma) = \sum_k p_k \mathcal{E}(\rho_k \otimes \sigma). \qquad (5)$$

It is clear that Eqs. (4) and (5) produce equivalent ciphers, because for every
set of CPTP maps $\{\mathcal{E}_k\}_k$ there exists a map $\mathcal{E}$ and set of states $\{\rho_k\}_k$ such that
for all messages $\sigma$, $\mathcal{E}_k(\sigma) = \mathcal{E}(\rho_k \otimes \sigma)$, and vice versa. The difference lies in
the knowledge needed to perform the encryption. In the first case (Eq. (4))
the sender needs to know the secret key $k$ to know which CPTP map $\mathcal{E}_k$ to
apply. In the second case (Eq. (5)) the sender only needs to hold a copy of
the encryption key $\rho_k$; he does not need to know what it is or what secret
key $k$ it corresponds to. This allows us to construct in Section 2.2 a quantum
asymmetric-key cryptosystem in which copies of the same encryption key $\rho_k$ can
be used by many different users. In this section we focus on the symmetric-key
model and define quantum state randomization (QSR) schemes with quantum
encryption keys and their security in this model.

Definition 1. Let $\mathcal{B}(\mathcal{H})$ denote the set of linear operators on $\mathcal{H}$.

A quantum state randomization (QSR) scheme with quantum encryption
keys consists of the following tuple,

$$\mathcal{T} = (P_{\mathcal{K}}, \{\rho_k\}_{k\in\mathcal{K}}, \mathcal{E}).$$

$\rho_k \in \mathcal{B}(\mathcal{H}_K)$ are density operators on a Hilbert space $\mathcal{H}_K$. They are called
encryption keys and are indexed by elements $k \in \mathcal{K}$ called decryption keys.

$P_{\mathcal{K}}(\cdot)$ is a probability distribution over the set of decryption keys $\mathcal{K}$,
corresponding to the probability with which each en/decryption key-pair should be
chosen.

$\mathcal{E} : \mathcal{B}(\mathcal{H}_K \otimes \mathcal{H}_S) \to \mathcal{B}(\mathcal{H}_C)$ is a completely positive, trace-preserving (CPTP)
map from the set of linear operators on the joint system of encryption key and
message Hilbert spaces, $\mathcal{H}_K$ and $\mathcal{H}_S$ respectively, to the set of linear operators
on the cipher Hilbert space $\mathcal{H}_C$, and is called encryption operator.

To encrypt a quantum message given by its density operator $\sigma \in \mathcal{B}(\mathcal{H}_S)$
with the encryption key $\rho_k$, the encryption operator is applied to the key and
message, resulting in the cipher

$$\rho_{k,\sigma} := \mathcal{E}(\rho_k \otimes \sigma).$$

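Definition 1 describes how to encrypt a quantum message, but for such a
scheme to be useful, it must also be possible to decrypt the message for someone
who knows which key $k$ was used, i.e., it must be possible to invert the encryption
operation.

Definition 2. A QSR scheme given by the tuple $\mathcal{T} = (P_{\mathcal{K}}, \{\rho_k\}_{k\in\mathcal{K}}, \mathcal{E})$ is said
to be invertible on the set $\mathcal{S} \subset \mathcal{B}(\mathcal{H}_S)$ if for every $k \in \mathcal{K}$ with $P_{\mathcal{K}}(k) > 0$ there
exists a CPTP map $\mathcal{D}_k : \mathcal{B}(\mathcal{H}_C) \to \mathcal{B}(\mathcal{H}_S)$ such that for all density operators
$\sigma \in \mathcal{S}$,

$$\mathcal{D}_k \mathcal{E}(\rho_k \otimes \sigma) = \sigma.$$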

Furthermore, a QSR scheme must, as its name says, randomize a quantum
state. We define this in the same way as previous works on approximate
quantum state randomization [1, 2, 3], by bounding the distance between the ciphers
averaged over all possible choices of key and some state independent from the
message. We however generalize this to encrypt $t$ messages with the same key,
because the asymmetric-key model we define in Section 2.2 will need this. It is
always possible to consider the case $t = 1$ in the symmetric-key model, if multiple
uses of the same key are not desired.

We will use the trace norm as distance measure between two states, because
it is directly related to the probability that an optimal measurement can
distinguish between these two states, and is therefore meaningful in the context of
eavesdropping. The trace norm of a matrix $A$ is defined by $\|A\|_{\mathrm{tr}} := \operatorname{tr}|A| =
\operatorname{tr}\sqrt{A^\dagger A}$, which is also equal to the sum of the singular values of $A$.

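Definition 3. A QSR scheme given by the tuple $\mathcal{T} = (P_{\mathcal{K}}, \{\rho_k\}_{k\in\mathcal{K}}, \mathcal{E})$ is
said to be $(t,\epsilon)$-randomizing on the set $\mathcal{S} \subset \mathcal{B}(\mathcal{H}_S)$ if there exists a density
operator $\tau \in \mathcal{B}(\mathcal{H}_C^{\otimes t})$ such that for all $t$-tuples of message density operators
$\omega = (\sigma_1, \dots, \sigma_t) \in \mathcal{S}^{\times t}$

$$\|\mathcal{R}(\omega) - \tau\|_{\mathrm{tr}} < \epsilon, \qquad (6)$$

where $\mathcal{R}(\omega) = \sum_k P_{\mathcal{K}}(k)\, \rho_{k,\sigma_1} \otimes \cdots \otimes \rho_{k,\sigma_t}$ and $\rho_{k,\sigma_i} = \mathcal{E}(\rho_k \otimes \sigma_i)$.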

2.2 Quantum Asymmetric-Key Cryptosystem 

As announced in the previous section, the idea behind the quantum
asymmetric-key cryptosystem model is that many different people hold a copy of some
quantum state $\rho_k$ which serves as encryption key, and anyone who wishes to
send a message to the originator of the encryption keys uses a quantum state
randomization scheme, as described in Definition 1. This is depicted in Figure 1.




Figure 1: Quantum asymmetric-key cryptosystem model. Bob and Charlie hold
copies of Alice's encryption key $\rho_k$. To send her a message, they encrypt it with
the key and a given QSR scheme, and send the resulting cipher to her. An
eavesdropper, Eve, may intercept the ciphers as well as possess some copies of
the encryption key herself.

If the QSR scheme used to encrypt the messages is $(t,\epsilon)$-randomizing and
no more than $t$ copies of the encryption key were released, an eavesdropper who
intercepts the ciphers will not be able to distinguish them from some state
independent from the messages, and so will not get any information about these messages.
This is however not the only attack he may perform.

As we consider a scenario in which copies of the encryption key are shared
between many different people, the adversary could hold one or many of them.
If a total of $t$ copies of the encryption key were produced and $t_1$ were used to
encrypt messages $\omega = (\sigma_1, \dots, \sigma_{t_1})$, in the worst case we have to assume that
the adversary has the $t_2 := t - t_1$ remaining unused copies of the key. So his
total state is

$$\rho^E_\omega = \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,\sigma_1} \otimes \cdots \otimes \rho_{k,\sigma_{t_1}} \otimes \rho_k^{\otimes t_2}, \qquad (7)$$

where $\rho_{k,\sigma_i}$ is the cipher of the message $\sigma_i$ encrypted with the key $\rho_k$. This
leads to the following security definition.

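Definition 4. We call a quantum asymmetric-key cryptosystem $(t,\epsilon)$-indistinguishable
on the set $\mathcal{S} \subset \mathcal{B}(\mathcal{H}_S)$ if for all $t_1 \in \{0, 1, \dots, t\}$, $t_2 := t - t_1$, there
exists a density operator $\tau \in \mathcal{B}(\mathcal{H}_C^{\otimes t_1} \otimes \mathcal{H}_K^{\otimes t_2})$ such that for all $t_1$-tuples of
message density operators $\omega = (\sigma_1, \dots, \sigma_{t_1}) \in \mathcal{S}^{\times t_1}$

$$\|\rho^E_\omega - \tau\|_{\mathrm{tr}} < \epsilon,$$

where $\rho^E_\omega$ is the state the adversary obtains as defined in Eq. (7).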



Remark 5. Definition 4 is clearly more general than the security criterion of
Definition 3 ($(t,\epsilon)$-randomization) as this latter corresponds to the special case
$t_1 = t$. However, for the scheme constructed in Section 4 the two are equivalent,
and proving one proves the other. This is the case in particular if the encryption
key is equal to the cipher of some specific message $\sigma_0$, i.e., $\rho_k = \rho_{k,\sigma_0} = \mathcal{E}(\rho_k \otimes \sigma_0)$,
in which case holding an extra copy of the encryption key does not give
more information about the decryption key than holding an extra cipher state.



2.3 Classical Messages 

In the following sections we will also be interested in the special case of schemes
which encrypt classical messages only. Classical messages can be represented by
a set of mutually orthogonal quantum states, which we will take to be the basis
states of the message Hilbert space and denote by $\{|s\rangle\}_{s\in\mathcal{S}}$. So these schemes
must be invertible and randomizing on the set of basis states of the message
Hilbert space.

When considering classical messages only, we will simplify the notation when
possible and represent a message by a string $s$ instead of by its density matrix
$|s\rangle\langle s|$, e.g., the cipher of the message $s$ encrypted with the key $\rho_k$ is

$$\rho_{k,s} := \mathcal{E}(\rho_k \otimes |s\rangle\langle s|).$$

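Remark 6. Definition 2 (invertibility) can be simplified when only classical
messages are considered: a QSR scheme given by the tuple $\mathcal{T} = (P_{\mathcal{K}}, \{\rho_k\}_{k\in\mathcal{K}}, \mathcal{E})$
is invertible for the set of classical messages $\mathcal{S}$, if for every $k \in \mathcal{K}$ with $P_{\mathcal{K}}(k) > 0$
the ciphers $\{\rho_{k,s}\}_{s\in\mathcal{S}}$ are mutually orthogonal, where $\rho_{k,s} := \mathcal{E}(\rho_k \otimes |s\rangle\langle s|)$ for
some orthonormal basis $\{|s\rangle\}_{s\in\mathcal{S}}$ of the message Hilbert space $\mathcal{H}_S$.

We will also use a different but equivalent definition to measure how well a
scheme can randomize a message when dealing with classical messages. This
new security criterion allows us to simplify some proofs.

Definition 7. A QSR scheme given by the tuple $\mathcal{T} = (P_{\mathcal{K}}, \{\rho_k\}_{k\in\mathcal{K}}, \mathcal{E})$ is said
to be $(t,\epsilon)$-secure for the set of classical messages $\mathcal{S}$ if for all probability
distributions $P_{S^t}(\cdot)$ over the set of $t$-tuples of messages $\mathcal{S}^{\times t}$,

$$\left\|\rho^{S^tC^t} - \rho^{S^t} \otimes \rho^{C^t}\right\|_{\mathrm{tr}} < \epsilon, \qquad (8)$$

where $\rho^{S^tC^t}$ is the state of the joint systems of $t$-fold message and cipher Hilbert
spaces, and $\rho^{S^t}$ and $\rho^{C^t}$ are the result of tracing out the cipher respectively
message systems. I.e.,

$$\rho^{S^tC^t} = \sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s)\, |s\rangle\langle s| \otimes \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t},$$

$$\rho^{S^t} = \sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s)\, |s\rangle\langle s|,$$

$$\rho^{C^t} = \sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s) \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t},$$

where $s = (s_1, \dots, s_t)$.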

This security definition can be interpreted the following way. No matter 
what the probability distribution on the secret messages is - let the adversary 
choose it - the message and cipher spaces are nearly in product form, i.e., the 
cipher gives next to no information about the message. 

The following lemma proves that this new security definition is equivalent
to the previous one (Definition 3) up to a constant factor.

Lemma 8. If a QSR scheme is $(t,\epsilon)$-randomizing for a set of classical messages
$\mathcal{S}$, then it is $(t,2\epsilon)$-secure for $\mathcal{S}$. If a QSR scheme is $(t,\epsilon)$-secure for a set of
classical messages $\mathcal{S}$, then it is $(t,2\epsilon)$-randomizing for $\mathcal{S}$.

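Proof. In order to simplify the notation we will set $s := (s_1, \dots, s_t)$ and
$\rho_{k,s} := \rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t}$. The left-hand side of Eq. (8) can then be rewritten as

$$\left\|\rho^{S^tC^t} - \rho^{S^t} \otimes \rho^{C^t}\right\|_{\mathrm{tr}}
= \left\| \sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s)\, |s\rangle\langle s| \otimes \left( \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s} - \sum_{r\in\mathcal{S}^{\times t}} \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k) P_{S^t}(r)\, \rho_{k,r} \right) \right\|_{\mathrm{tr}}$$

$$= \sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s) \left\| \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s} - \sum_{r\in\mathcal{S}^{\times t}} \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k) P_{S^t}(r)\, \rho_{k,r} \right\|_{\mathrm{tr}}. \qquad (9)$$

If this must be less than $\epsilon$ for all probability distributions $P_{S^t}$, then for the
distribution $P_{S^t}(s_1) = P_{S^t}(s_2) = 1/2$ for any two elements $s_1, s_2 \in \mathcal{S}^{\times t}$ we have
from Eq. (9)

$$\frac{1}{2} \left\| \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s_1} - \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s_2} \right\|_{\mathrm{tr}} < \epsilon.$$

This immediately implies $(t,2\epsilon)$-randomization.

To prove the converse we apply the triangle inequality to Eq. (9) and get

$$\left\|\rho^{S^tC^t} - \rho^{S^t} \otimes \rho^{C^t}\right\|_{\mathrm{tr}} \le \sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s) \sum_{r\in\mathcal{S}^{\times t}} P_{S^t}(r) \left\| \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s} - \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,r} \right\|_{\mathrm{tr}}.$$

By the definition of $(t,\epsilon)$-randomization (Definition 3) and the triangle
inequality we know that

$$\left\| \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s} - \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,r} \right\|_{\mathrm{tr}} < 2\epsilon,$$

for all $r, s \in \mathcal{S}^{\times t}$, which concludes the proof. □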



3 Lower bounds on the Key Size 

It is intuitively clear that the more copies of the encryption key state $\rho_k$ are
created, the more information the adversary gets about the decryption key $k \in \mathcal{K}$
and the more insecure the scheme becomes. As it turns out, the number of copies
of the encryption key which can be safely used is directly linked to the size of
the decryption key, i.e., the cardinality of the decryption key set $\mathcal{K}$.

Let us assume a QSR scheme with quantum encryption keys is used to
encrypt classical messages of size $m$. Then if $t$ copies of the encryption key
state are released and used, the size of the total message encrypted with the
same decryption key $k$ is $tm$. We prove in this section that the decryption key
has to be of the same size as the total message to achieve information-theoretical
security, i.e., $\log|\mathcal{K}| > tm$. In Section 4 we then give a scheme which reaches
this bound asymptotically.

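Theorem 9. If a QSR scheme given by the tuple $\mathcal{T} = (P_{\mathcal{K}}, \{\rho_k\}_{k\in\mathcal{K}}, \mathcal{E})$ is
invertible for the set of classical messages $\mathcal{S}$, then when $t$ messages $(s_1, \dots, s_t)$ are
chosen from $\mathcal{S}$ with (joint) probability distribution $P_{S^t}(s_1, \dots, s_t)$ and encrypted
with the same key,

$$\left\|\rho^{S^tC^t} - \rho^{S^t} \otimes \rho^{C^t}\right\|_{\mathrm{tr}} > \frac{H(S^t) - H(\mathcal{K}) - 2}{4t\log|\mathcal{S}|}, \qquad (10)$$

where $H(\cdot)$ is the Shannon entropy and $\rho^{S^tC^t}$ is the state of the $t$-fold message
and cipher systems:

$$\rho^{S^tC^t} = \sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s)\, |s\rangle\langle s| \otimes \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t}, \qquad (11)$$

$$\rho^{C^t} = \sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s) \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t},$$

where $s = (s_1, \dots, s_t)$.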
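
Proof. A theorem by Alicki and Fannes [T^] tells us that for any two states $\rho^{AB}$
and $\sigma^{AB}$ on the joint system $\mathcal{H}_{AB} = \mathcal{H}_A \otimes \mathcal{H}_B$ with $\delta := \|\rho^{AB} - \sigma^{AB}\|_{\mathrm{tr}} < 1$
and $d_A := \dim \mathcal{H}_A$,

$$\left| S(\rho^{AB}|\rho^B) - S(\sigma^{AB}|\sigma^B) \right| < 4\delta\log d_A + 2h(\delta), \qquad (12)$$

where $S(\rho^{AB}|\rho^B) := S(\rho^{AB}) - S(\rho^B)$ is the conditional Von Neumann entropy
and $h(p) := p\log\frac{1}{p} + (1-p)\log\frac{1}{1-p}$ is the binary entropy. $h(\delta) < 1$, so from
Eq. (12) we get

$$\delta > \frac{\left| S(\rho^{AB}|\rho^B) - S(\sigma^{AB}|\sigma^B) \right| - 2}{4\log d_A}.$$

By applying this to the left-hand side of Eq. (10) we obtain

$$\left\|\rho^{S^tC^t} - \rho^{S^t} \otimes \rho^{C^t}\right\|_{\mathrm{tr}} > \frac{S(\rho^{S^t}) + S(\rho^{C^t}) - S(\rho^{S^tC^t}) - 2}{4t\log|\mathcal{S}|}.$$

To prove this theorem it remains to show that

$$S(\rho^{S^t}) + S(\rho^{C^t}) - S(\rho^{S^tC^t}) > H(S^t) - H(\mathcal{K}).$$

For this we will need the two following bounds on the Von Neumann entropy
(see e.g., 0):

$$S\left(\sum_{x\in\mathcal{X}} p_x \rho_x\right) > \sum_{x\in\mathcal{X}} p_x S(\rho_x),$$

$$S\left(\sum_{x\in\mathcal{X}} p_x \rho_x\right) < H(X) + \sum_{x\in\mathcal{X}} p_x S(\rho_x).$$

Equality is obtained in the second equation if the states $\{\rho_x\}_{x\in\mathcal{X}}$ are all mutually
orthogonal. By using these bounds and Eq. (11) we see that

$$S(\rho^{S^tC^t}) = H(S^t) + \sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s)\, S\left(\sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, \rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t}\right)$$

$$< H(S^t) + H(\mathcal{K}) + \sum_{s\in\mathcal{S}^{\times t}} \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k) P_{S^t}(s)\, S(\rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t}),$$

$$S(\rho^{C^t}) > \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k)\, S\left(\sum_{s\in\mathcal{S}^{\times t}} P_{S^t}(s)\, \rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t}\right)$$

$$= H(S^t) + \sum_{s\in\mathcal{S}^{\times t}} \sum_{k\in\mathcal{K}} P_{\mathcal{K}}(k) P_{S^t}(s)\, S(\rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t}).$$

We have equality in the last line because the scheme is invertible on $\mathcal{S}$, i.e., by
Definition 2 and Remark 6 the states $\{\rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_t}\}_{s_1,\dots,s_t\in\mathcal{S}}$ are mutually
orthogonal. By putting this all together we conclude the proof. □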

Corollary 10. For a QSR scheme to be $(t,\epsilon)$-randomizing or $(t,\epsilon)$-indistinguishable,
it is necessary that

$$H(\mathcal{K}) > (1 - 8\epsilon)\, t\log d - 2, \qquad (13)$$

where $d$ is the dimension of the message Hilbert space $\mathcal{H}_S$ and $H(\mathcal{K})$ is the
entropy of the decryption key.

Proof. Definition 7 says that for a scheme to be $(t,\epsilon)$-secure we need

$$\left\|\rho^{S^tC^t} - \rho^{S^t} \otimes \rho^{C^t}\right\|_{\mathrm{tr}} < \epsilon$$

for all probability distributions $P_{S^t}$. So for the uniform distribution we get from
Theorem 9 that for a scheme to be $(t,\epsilon)$-secure we need

$$H(\mathcal{K}) > (1 - 4\epsilon)\, t\log|\mathcal{S}| - 2.$$

By Lemma 8 we then have the condition

$$H(\mathcal{K}) > (1 - 8\epsilon)\, t\log|\mathcal{S}| - 2$$

for the scheme to be $(t,\epsilon)$-randomizing for the classical messages $\mathcal{S}$. And as
classical messages are a subset of quantum messages, namely an orthonormal
basis of the message Hilbert space, this bound extends to the case of quantum
messages on a Hilbert space of dimension $d_S = |\mathcal{S}|$.

As $(t,\epsilon)$-randomization is a special case of $(t,\epsilon)$-indistinguishability, namely
for $t_1 = t$, it is immediate that this lower bound also applies to
$(t,\epsilon)$-indistinguishability. □

Remark 11. Approximate quantum one-time pad schemes usually only
consider the special case in which the cipher has the same dimension as the
message [H [3-. A more general scenario in which an ancilla is appended to the
message is however also possible. It was proven in [BJ that for perfect security
such an extended scheme needs a key of the same size as in the restricted
scenario, namely $2\log d$. Corollary 10 for $t = 1$ shows the same for approximate
security, namely roughly $\log d$ bits of key are necessary, just as when no ancilla
is present.



4 Near-Optimal Scheme 

To simplify the presentation of the QSR scheme, we first define it for classical
messages in Section 4.1, show that it is invertible and find a bound on $t$, the
number of copies of the encryption key which can be released, for it to be
$(t,\epsilon)$-randomizing for an exponentially small $\epsilon$. In Section 4.2 we extend the scheme
to encrypt any quantum message of a given size, and show again that it is
invertible and randomizing. And finally in Section 4.3 we calculate the size of
the key necessary to encrypt a message of a given length, and show that it is
nearly asymptotically equal to the lower bound found in Section 3.

4.1 Classical Messages

Without loss of generality, let the message space be of dimension $\dim \mathcal{H}_S = 2^m$.
The classical messages can then be represented by strings of length $m$,
$\mathcal{S} := \{0,1\}^m$. We now define a QSR scheme which uses encryption key states
of dimension $\dim \mathcal{H}_K = 2^{m+n}$, where $n$ is a security parameter, i.e., the scheme
will be $(t,\epsilon)$-randomizing for $\epsilon = 2^{-\Theta(n)}$.

We define the set of decryption keys to be the set of all $(m \times n)$ binary
matrices,

$$\mathcal{K} := \{0,1\}^{m\times n}. \qquad (14)$$

This set has size $|\mathcal{K}| = 2^{mn}$ and each key is chosen with uniform probability.
For every decryption key $A \in \mathcal{K}$ the corresponding encryption key is defined
as

$$\rho_A := \frac{1}{2^n} \sum_{x\in\{0,1\}^n} |Ax, x\rangle\langle Ax, x|, \qquad (15)$$

where $Ax$ is the multiplication of the matrix $A$ with the vector $x$.

The encryption operator $\mathcal{E} : \mathcal{B}(\mathcal{H}_K \otimes \mathcal{H}_S) \to \mathcal{B}(\mathcal{H}_C)$ consists in applying the
unitary

$$U := \sum_{s,y\in\{0,1\}^m,\ x\in\{0,1\}^n} |y \oplus s, x\rangle\langle y, x|^K \otimes |s\rangle\langle s|^S$$

and tracing out the message system $S$, i.e.,

$$\rho_{A,s} := \operatorname{tr}_S\left( U \left( \rho_A^K \otimes |s\rangle\langle s|^S \right) U^\dagger \right).$$

This results in the cipher for the message $s$ being

$$\rho_{A,s} = \frac{1}{2^n} \sum_{x\in\{0,1\}^n} |Ax \oplus s, x\rangle\langle Ax \oplus s, x|. \qquad (16)$$

These states are mutually orthogonal for different messages $s$ so by Remark 6
this scheme is invertible.

We now show that this scheme is $(t,\epsilon)$-randomizing for $\epsilon = 2^{-\delta n+1}$ and
$t = (1-\delta)n$, $0 < \delta < 1$.

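Theorem 12. For the QSR scheme defined above in Eqs. (14), (15) and (16),
there exists a density operator $\tau \in \mathcal{B}(\mathcal{H}_C^{\otimes t})$ such that for all $t$-tuples of messages
$s = (s_1, \dots, s_t) \in \mathcal{S}^{\times t}$, if $t = (1-\delta)n$, $0 < \delta < 1$, then

$$\|\gamma_s - \tau\|_{\mathrm{tr}} < 2^{-\delta n+1},$$

where $\gamma_s$ is the encryption of $s$ with this scheme averaged over all possible keys,
i.e.,

$$\gamma_s = \frac{1}{2^{mn}} \sum_{A\in\mathcal{K}} \rho_{A,s_1} \otimes \cdots \otimes \rho_{A,s_t}. \qquad (17)$$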

Proof. The $\tau$ in question is the fully mixed state $\tau = \frac{1}{2^{t(m+n)}} I$. By placing the
values of the ciphers from Eq. (16) in Eq. (17) we get

$$\gamma_s = \frac{1}{2^{mn}2^{tn}} \sum_{A\in\{0,1\}^{m\times n}} \sum_{x_1,\dots,x_t\in\{0,1\}^n} |Ax_1 \oplus s_1, x_1, \dots, Ax_t \oplus s_t, x_t\rangle\langle Ax_1 \oplus s_1, x_1, \dots, Ax_t \oplus s_t, x_t|.$$

A unitary performing bit flips can take $\gamma_s$ to $\gamma_r$ for any $s, r \in \mathcal{S}^{\times t}$, so

$$\left\|\gamma_s - \frac{1}{2^{t(m+n)}} I\right\|_{\mathrm{tr}} = \left\|\gamma_r - \frac{1}{2^{t(m+n)}} I\right\|_{\mathrm{tr}},$$

and it is sufficient to evaluate

$$\left\|\gamma_0 - \frac{1}{2^{t(m+n)}} I\right\|_{\mathrm{tr}} = \sum_{e\in\mathrm{EVec}(\gamma_0)} \left| w_e - \frac{1}{2^{t(m+n)}} \right|, \qquad (18)$$

where $e$ are the eigenvectors of $\gamma_0$ and $w_e$ the corresponding eigenvalues.
So we need to calculate the eigenvalues of

$$\gamma_0 = \frac{1}{2^{mn}2^{tn}} \sum_{A\in\{0,1\}^{m\times n}} \sum_{x_1,\dots,x_t\in\{0,1\}^n} |Ax_1, x_1, \dots, Ax_t, x_t\rangle\langle Ax_1, x_1, \dots, Ax_t, x_t|. \qquad (19)$$

Let us fix $x_1, \dots, x_t$. It is immediate from the linearity of $Ax$ that if exactly $d$
of the vectors $\{x_i\}_{i=1}^{t}$ are linearly independent, then

$$\sum_{A\in\{0,1\}^{m\times n}} |Ax_1, x_1, \dots, Ax_t, x_t\rangle\langle Ax_1, x_1, \dots, Ax_t, x_t|$$

uniformly spans a space of dimension $2^{dm}$, and for different values of $x_1, \dots, x_t$
these subspaces are all mutually orthogonal. Let $D_t$ be the random variable
representing the number of independent vectors amongst $t$ binary vectors of
length $n$, when chosen uniformly at random, and let $P_{D_t}(d) = \Pr[D_t = d]$ be the
probability that exactly $d$ of these vectors are linearly independent. The matrix
given in Eq. (19) then has exactly $2^{tn} P_{D_t}(d)\, 2^{dm}$ eigenvectors with eigenvalue
$\frac{1}{2^{dm}2^{tn}}$, for $0 \le d \le t$. The remaining eigenvectors have eigenvalue 0.

So Eq. (18) becomes



E 

eeEVec(pl') 



1 



2^ (m+n) 



= 2^2*"PD,(d)2'*" 



d=0 
t 



ti=0 
t-1 

d=0 



For $t = (1-\delta)n$, $0 < \delta < 1$, we have for all $s \in \mathcal{S}^{\times t}$

$$\|\gamma_s - \tau\|_{\mathrm{tr}} < 2^{-\delta n+1}.$$



□ 
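
The bound of Theorem 12 can be checked exactly for tiny parameters. The following Python sketch is an added example, not code from the paper: because every cipher in Eq. (16) is diagonal in the computational basis, it treats $\gamma_s$ as a classical probability distribution over outcomes $(Ax_i \oplus s_i, x_i)$, enumerates it by brute force, and compares the resulting trace distance to the fully mixed state with the closed form $2\sum_d P_{D_t}(d)\,(1 - 2^{(d-t)m})$ obtained here from the eigenvalue count in the proof, and with the bound $2^{t-n+1} = 2^{-\delta n+1}$. The function names and the encoding of bit vectors as Python integers are assumptions of this example.

```python
# Added illustration (not the paper's code): exact check of Theorem 12 for tiny m, n, t.
from collections import Counter
from fractions import Fraction
from itertools import product


def matvec(A, x):
    """A*x over GF(2). A is a tuple of m rows (n-bit ints); returns an m-bit int."""
    y = 0
    for row in A:
        y = (y << 1) | (bin(row & x).count("1") & 1)
    return y


def encrypt(A, s, x):
    """Basis component |Ax XOR s, x> of the cipher in Eq. (16), for one value of x."""
    return (matvec(A, x) ^ s, x)


def decrypt(A, cipher):
    """Whoever knows the decryption key A recovers s = y XOR Ax from |y, x>."""
    y, x = cipher
    return y ^ matvec(A, x)


def rank_gf2(vectors):
    """Rank over GF(2) of bit vectors given as ints (elimination on the top bit)."""
    pivots = {}
    for v in vectors:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]
    return len(pivots)


def distance_bruteforce(m, n, t, s):
    """||gamma_s - tau||_tr, enumerating every key A and every x_1..x_t.

    gamma_s is diagonal, so the trace norm is the L1 distance between the
    outcome distribution and the uniform one on 2^(t(m+n)) outcomes.
    """
    counts = Counter()
    for A in product(range(2 ** n), repeat=m):          # all m x n binary matrices
        for xs in product(range(2 ** n), repeat=t):     # all x_1, ..., x_t
            counts[tuple(encrypt(A, si, x) for si, x in zip(s, xs))] += 1
    total = 2 ** (m * n) * 2 ** (t * n)
    uniform = Fraction(1, 2 ** (t * (m + n)))
    seen = sum(abs(Fraction(c, total) - uniform) for c in counts.values())
    unseen = 2 ** (t * (m + n)) - len(counts)           # outcomes with eigenvalue 0
    return seen + unseen * uniform


def rank_distribution(n, t):
    """P_{D_t}(d): probability that t uniform vectors in {0,1}^n have rank d."""
    ranks = Counter(rank_gf2(xs) for xs in product(range(2 ** n), repeat=t))
    return {d: Fraction(c, 2 ** (t * n)) for d, c in ranks.items()}


def distance_closed_form(m, n, t):
    """2 * sum_d P_{D_t}(d) * (1 - 2^((d-t)m)), from the eigenvalue count."""
    return 2 * sum(p * (1 - Fraction(1, 2 ** ((t - d) * m)))
                   for d, p in rank_distribution(n, t).items())


def bound(n, t):
    """Theorem 12's bound 2^(-delta*n + 1) written in terms of t = (1 - delta)n."""
    return Fraction(2) ** (t - n + 1)


if __name__ == "__main__":
    # Constructed parameters: the distance grows as t approaches n.
    n, m = 4, 2
    for t in range(1, n + 1):
        d = distance_closed_form(m, n, t)
        print(f"t={t}: distance={float(d):.4f}  bound={float(bound(n, t)):.4f}")
```

Running the script shows the distance to the fully mixed state growing with each additional copy $t$ for fixed $n$, which is the behaviour the threshold $t = (1-\delta)n$ captures.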



Corollary 13. An asymmetric-key cryptosystem using this QSR scheme is 
{t, e) -indistinguishable {Definition 4^ for e = 2^"^"+^ andt = {\ — 5)n, < (5 < 1. 

Proof. As noted in [Section 2. 21 this scheme is such that the encryption keys are 

identical to the ciphers of the message 0, pfe^o = Pk = ^ X]a;e{o 1}" \Ax,x){AxtX\. 
So if ti copies of the encryption key were used to encrypt the messages s = 



13 



(si, . . . , Stj) and the adversary holds these ciphers and the t2 — t — ti extra 
copies of the encryption key, 




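Then $\rho^E_s = \gamma_r$ for $r = (s_1, \dots, s_{t_1}, 0, \dots, 0)$ and by Theorem 12 $\|\gamma_r - \tau\|_{\mathrm{tr}} < \epsilon$. □

4.2 Quantum Messages

We will now extend the encryption scheme given above to encrypt any quantum
state, not only classical ones. To do this we will show how to combine a QSR
scheme with quantum keys which is $(t, \epsilon_1)$-randomizing for classical messages
(like the one from Section 4.1) with a QSR scheme with classical keys which is
$(1, \epsilon_2)$-randomizing for quantum states (which is the case of any standard QSR
scheme, e.g., [H O [U [H [3 H]) to produce a QSR scheme which is $(t, \epsilon_1 + t\epsilon_2)$-randomizing.
The general idea is to choose a classical key for the second scheme
at random, encrypt the quantum message with this scheme, then encrypt the
classical key with the quantum encryption key of the first scheme, and send
both ciphers.

Theorem 14. Let a QSR scheme with quantum keys be given by the tuple
$T_1 = (P_K, \{\rho_k\}_{k \in \mathcal{K}}, \mathcal{E})$, where $\mathcal{E} : \mathcal{B}(\mathcal{H}_K \otimes \mathcal{H}_S) \to \mathcal{B}(\mathcal{H}_C)$, and let a QSR
scheme with classical keys be given by the tuple $T_2 = (P_S, \{\mathcal{F}_s\}_{s \in \mathcal{S}})$, where
$\mathcal{F}_s : \mathcal{B}(\mathcal{H}_R) \to \mathcal{B}(\mathcal{H}_D)$. We combine the two to produce the QSR scheme with
quantum encryption keys given by $T_3 = (P_K, \{\rho_k\}_{k \in \mathcal{K}}, \mathcal{G})$, where
$\mathcal{G} : \mathcal{B}(\mathcal{H}_K \otimes \mathcal{H}_R) \to \mathcal{B}(\mathcal{H}_C \otimes \mathcal{H}_D)$ is defined by

$$\mathcal{G}(\rho_k \otimes \sigma) := \sum_{s \in \mathcal{S}} P_S(s)\, \mathcal{E}(\rho_k \otimes |s\rangle\langle s|) \otimes \mathcal{F}_s(\sigma). \qquad (20)$$

If $T_1$ forms a quantum asymmetric-key cryptosystem which is invertible and
$(t, \epsilon_1)$-indistinguishable (respectively randomizing) for the basis states of $\mathcal{H}_S$ and
$T_2$ is an invertible and $(1, \epsilon_2)$-randomizing QSR scheme for any state on $\mathcal{H}_R$,
then $T_3$ forms an invertible and $(t, \epsilon_1 + t\epsilon_2)$-indistinguishable (respectively randomizing)
cryptosystem for all density operator messages on $\mathcal{H}_R$.

Proof. The invertibility of the scheme formed with $T_3$ is immediate. To prove
the indistinguishability we need to show that for all $t_1 \in \{0, 1, \dots, t\}$, $t_2 := t - t_1$,
there exists a density operator $\tau \in \mathcal{B}(\mathcal{H}_C^{\otimes t_1} \otimes \mathcal{H}_D^{\otimes t_1} \otimes \mathcal{H}_K^{\otimes t_2})$ such that
for all $t_1$-tuples of message density operators $\omega = (\sigma_1, \dots, \sigma_{t_1}) \in \mathcal{B}(\mathcal{H}_R)^{\times t_1}$,
$\|\rho^E_\omega - \tau\|_{\mathrm{tr}} < \epsilon$, where $\rho^E_\omega = \sum_{k \in \mathcal{K}} P_K(k)\, \mathcal{G}(\rho_k \otimes \sigma_1) \otimes \cdots \otimes \mathcal{G}(\rho_k \otimes \sigma_{t_1}) \otimes \rho_k^{\otimes t_2}$.

Let us write $\gamma_s := \sum_{k \in \mathcal{K}} P_K(k)\, \rho_{k,s_1} \otimes \cdots \otimes \rho_{k,s_{t_1}} \otimes \rho_k^{\otimes t_2}$, where $s = (s_1, \dots, s_{t_1})$
and $\rho_{k,s_i} = \mathcal{E}(\rho_k \otimes |s_i\rangle\langle s_i|)$, and $\mu_\sigma := \sum_{s \in \mathcal{S}} P_S(s)\, \mathcal{F}_s(\sigma)$. And let $\tau_1$ and $\tau_2$ be
the two states such that $\|\gamma_s - \tau_1\|_{\mathrm{tr}} < \epsilon_1$ and $\|\mu_\sigma - \tau_2\|_{\mathrm{tr}} < \epsilon_2$ for all $s$ and $\sigma$
respectively. We define $:= \gamma_s - \tau_1$ and $\tau := \tau_1 \otimes \tau_2^{\otimes t_1}$. Then by the triangle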
inequality and changing the order of the registers



M tr — 



+ ||Tl «) (g) • • • (g) flat^ - 

$< \epsilon_1 + t_1\epsilon_2$.

As $(t, \epsilon)$-randomization is a special case of $(t, \epsilon)$-indistinguishability, namely
for $t_1 = t$, it is immediate from Theorem 14 that $T_3$ is also $(t, \epsilon_1 + t\epsilon_2)$-randomizing. □
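The composition of Eq. (20), worked numerically as an added example (not code from the paper). Here T2 is the perfect one-qubit quantum one-time pad with a 2-bit classical key, and T1 is replaced by a classical XOR pad used once (t = 1); that stand-in and all function names are assumptions made for illustration.

```python
# Added illustration. T1 is a stand-in (classical XOR pad), not the paper's scheme.
I2, X, Z = [[1, 0], [0, 1]], [[0, 1], [1, 0]], [[1, 0], [0, -1]]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def dagger(a):
    return [[complex(a[j][i]).conjugate() for j in range(len(a))]
            for i in range(len(a[0]))]

def kron(a, b):
    return [[a[i][j] * b[k][l] for j in range(len(a[0])) for l in range(len(b[0]))]
            for i in range(len(a)) for k in range(len(b))]

def mix(terms):
    """Convex combination sum_i p_i * M_i of equally sized matrices."""
    n = len(terms[0][1])
    return [[sum(p * m[i][j] for p, m in terms) for j in range(n)] for i in range(n)]

def pauli(s):
    """U_s = X^a Z^b for the 2-bit classical key s = (a, b)."""
    u = matmul(X, I2) if s >> 1 else I2
    return matmul(u, Z) if s & 1 else u

def F(s, sigma):
    """T2: quantum one-time pad on one qubit, F_s(sigma) = U_s sigma U_s^dagger."""
    return matmul(matmul(pauli(s), sigma), dagger(pauli(s)))

def E(k, s):
    """T1 stand-in (assumption): cipher |s XOR k><s XOR k| on a 4-dimensional H_C."""
    return [[1 if i == j == (s ^ k) else 0 for j in range(4)] for i in range(4)]

def G(k, sigma):
    """Eq. (20) with uniform P_S: sum_s P_S(s) E(rho_k (x) |s><s|) (x) F_s(sigma)."""
    return mix([(0.25, kron(E(k, s), F(s, sigma))) for s in range(4)])

def adversary_view(sigma):
    """Cipher averaged over the uniformly random key k (one use, t = 1)."""
    return mix([(0.25, G(k, sigma)) for k in range(4)])

def decrypt(k, c, qubit):
    """Invertibility: recover s = c XOR k, then undo U_s on the quantum part."""
    u = pauli(c ^ k)
    return matmul(matmul(dagger(u), qubit), u)

def max_dev_from_mixed(rho):
    """Largest entrywise deviation of rho from the fully mixed state I/dim."""
    return max(abs(rho[i][j] - (i == j) / len(rho))
               for i in range(len(rho)) for j in range(len(rho)))
```

With the key averaged out the joint cipher is exactly I/8, matching $\epsilon_1 + t\epsilon_2 = 0$ for these two perfect schemes; for a fixed, known k the state is not maximally mixed, which is what lets the key holder decrypt.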



4.3 Key Size 



To construct the QSR scheme for quantum messages as described in Section 4.2
we combine the scheme for classical messages from Section 4.1 and the approximate
one-time pad scheme of Dickinson and Nayak [3].

The scheme from Section 4.1 is $(t, \epsilon_1)$-randomizing for $t = (1 - \delta)n$ and
$\epsilon_1 = 2^{-\delta n + 1}$, and uses a key with entropy $H(\mathcal{K}) = nm = (t + \log\frac{1}{\epsilon_1} + 1)m$. The
scheme of Dickinson and Nayak [3] is $(1, \epsilon_2)$-randomizing and uses a key with
entropy $m = \log d + \log\frac{1}{\epsilon_2} + 4$ to encrypt a quantum state of dimension $d$. So
by combining these our final scheme is $(t, \epsilon_1 + t\epsilon_2)$-randomizing and uses a key
with entropy

$$H(\mathcal{K}) = \left(t + \log\frac{1}{\epsilon_1} + 1\right)\left(\log d + \log\frac{1}{\epsilon_2} + 4\right)$$

to encrypt $t$ states of dimension $d$. By choosing $\epsilon_1$ and $\epsilon_2$ to be polynomial
in i and respectively, the key has size $H(\mathcal{K}) = t\log d + o(t\log d)$, which
nearly reaches the asymptotic optimality found in Eq. (13) namely $H(\mathcal{K}) > (1 - 8\epsilon)\,t\log d - 2$.
Exponential security can be achieved at the cost of a slightly
reduced asymptotic efficiency. For $\epsilon_1 = 2^{-\delta_1 t}$ and $\epsilon_2 = d^{-\delta_2}$ for some small
$\delta_1, \delta_2 > 0$, the key has size $H(\mathcal{K}) = (1 + \delta_1)(1 + \delta_2)\,t\log d + o(t\log d)$.
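The exponential-security case carried through the entropy formula above, as a worked step added here (not part of the original text). With $\epsilon_1 = 2^{-\delta_1 t}$ and $\epsilon_2 = d^{-\delta_2}$,

$$\log\frac{1}{\epsilon_1} = \delta_1 t, \qquad \log\frac{1}{\epsilon_2} = \delta_2 \log d,$$

$$H(\mathcal{K}) = \bigl((1+\delta_1)t + 1\bigr)\bigl((1+\delta_2)\log d + 4\bigr) = (1+\delta_1)(1+\delta_2)\,t\log d + 4(1+\delta_1)\,t + (1+\delta_2)\log d + 4.$$

The last three terms grow only with $t$ or with $\log d$ alone, so they are $o(t\log d)$ as $t$ and $d$ grow, and the resulting security parameter is $\epsilon_1 + t\epsilon_2 = 2^{-\delta_1 t} + t\,d^{-\delta_2}$.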



5 Consequence for Quantum Keys 

The scheme presented in Section 4 uses the encryption keys

$$\rho_A = \frac{1}{2^n} \sum_{x \in \{0,1\}^n} |Ax, x\rangle\langle Ax, x|, \qquad (21)$$

for some $(m \times n)$-matrix decryption key $A$. Although these keys are written
as quantum states using the bra-ket notation to fit in the framework for QSR
schemes with quantum keys developed in the previous sections, the states from
Eq. (21) are all diagonal in the computational basis. So they are classical and
could have been represented by a classical random variable $X_A$ which takes the
value $(Ax, x)$ with probability $2^{-n}$.

This scheme meets the optimality bound on the key size from Section 3.
This bound tells us that for a given set of decryption keys $\mathcal{K}$, no matter how
the encryption keys $\{\rho_k\}_{k \in \mathcal{K}}$ are constructed, the number of copies of the
encryption keys which can be created, $t$, and the dimension of the messages which
can be encrypted, $d$, have to be such that $t\log d < H(\mathcal{K})$ for the scheme to
be information-theoretically secure. From the construction of the scheme in
Section 4 we know that this bound is met by a scheme using classical keys.
Hence no scheme using quantum keys can perform better. So using quantum
keys in a quantum state randomization scheme has no advantage with respect
to the message size and number of usages of the same key over classical keys.

This result applies to both the symmetric-key and asymmetric-key models as
the optimality was shown with respect to both $(t, \epsilon)$-randomization (Definition 3)
and $(t, \epsilon)$-indistinguishability (Definition 4), the security definitions for the
symmetric-key and asymmetric-key models respectively.

Quantum keys may however have other advantages over classical keys. For
example, the scheme proposed in Section 4 is not optimal in the dimension of
the encryption keys $\rho_k$. If the dimension of these keys can be reduced and
quantum memory becomes the norm, they could be less resource consuming
than classical keys. So encryption schemes using quantum keys cannot yet be
dismissed.